Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNqamMteHA4di04NTV3

High EPSS: 0.00627% (0.69209 Percentile) EPSS:
Permalink JSON

Helm uses crypto package vulnerable to panic from malformed X.509 certificate

Affected Packages Affected Versions Fixed Versions
go:helm.sh/helm/v3 >= 3.0.0, < 3.1.0 3.1.0
1,580 Dependent packages
5,000 Dependent repositories

Affected Version Ranges

All affected versions

3.0.0, 3.0.1, 3.0.2, 3.0.3

All unaffected versions

3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 3.8.2, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.15.4, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.18.4
go:golang.org/x/crypto < 0.0.0-20200124225646-8b5121be2f68 0.0.0-20200124225646-8b5121be2f68
125,672 Dependent packages
269,003 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions

0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0
go:github.com/helm/helm >= 2.0.0, < 2.16.8 2.16.8
9 Dependent packages
45 Dependent repositories

Affected Version Ranges

All affected versions

2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7

All unaffected versions

1.2.1, 2.16.8, 2.16.9, 2.16.10, 2.16.11, 2.16.12, 2.17.0

The Helm core maintainers have identified a high severity security vulnerability in Go's crypto package affecting all versions prior to Helm 2.16.8 and Helm 3.1.0.

Thanks to @ravin9249 for identifying the vulnerability.

Impact

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients resulting in a panic via a malformed X.509 certificate. This may allow a remote attacker to cause a denial of service.

Patches

A patch to compile Helm against Go 1.14.4 has been provided for Helm 2 and is available in Helm 2.16.8. Helm 3.1.0 and newer are compiled against Go 1.13.7+.

Workarounds

No workaround is available. Users are urged to upgrade.

References

For more information

If you have any questions or comments about this advisory:

References:

Identifiers

GHSA-cjjc-xp8v-855w

CVE-2020-7919

Risk

Severity

High

EPSS

EPSS Percentage: 0.00627

EPSS Percentile: 0.69209

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/helm/helm

Date and time

Published

about 4 years ago

Updated

about 1 year ago

API

JSON